Try this first
1. Give every user with a hardware key at least two keys: a primary (on the key chain) and a backup (in a drawer at home or a safe at the office). Register both in all systems at once, not after the first goes missing.
2. For admins, consider three keys: daily use, office safe, and off-site with a colleague or in a safe-deposit box. Losing two at once becomes a genuinely rare event.
3. Track which serial belongs to which user. On loss, you block that specific key in Entra (Authentication methods, FIDO2 security key, manage AAGUID and serial) so a finder cannot use it.
4. For the Microsoft stack: keep at least two break-glass accounts, each with its own FIDO2 key in a physical safe. These accounts should not be in daily use and should not be in Conditional Access (CA) policies that can accidentally block them.
5. Once a quarter, test that a user can sign in with only the backup key, on Windows and on cloud portals. A key that is not tested fails on the worst possible day.
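The checklist above can be checked mechanically against the serial-to-user inventory from step 3. The following is an added example, not part of the original page: the inventory rows, user names, serials and the 92-day reading of "once a quarter" are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory (hypothetical users and serials), one row per
# registered key: (user, role, key serial, date of last successful test sign-in)
INVENTORY = [
    ("alice", "user", "SN-0001", date(2024, 5, 2)),
    ("alice", "user", "SN-0002", date(2024, 5, 2)),
    ("bob", "user", "SN-0003", date(2024, 5, 20)),
    ("carol", "admin", "SN-0004", date(2024, 5, 28)),
    ("carol", "admin", "SN-0005", date(2023, 11, 3)),
    ("carol", "admin", "SN-0006", date(2024, 4, 15)),
    ("bg-1", "break-glass", "SN-0007", date(2024, 4, 1)),
]

# Thresholds taken from the checklist: two keys per user, three per admin,
# one dedicated key per break-glass account, at least two such accounts.
MIN_KEYS = {"user": 2, "admin": 3, "break-glass": 1}
MIN_BREAK_GLASS_ACCOUNTS = 2
TEST_INTERVAL = timedelta(days=92)  # assumption: "once a quarter"

def audit(inventory, today):
    """Return a list of findings where the inventory breaks the checklist."""
    findings, keys, roles, owner = [], defaultdict(list), {}, {}
    for user, role, serial, last_test in inventory:
        # A serial must map to exactly one account so it can be blocked on loss.
        if serial in owner and owner[serial] != user:
            findings.append(f"{serial}: registered to both {owner[serial]} and {user}")
        owner[serial] = user
        roles[user] = role
        keys[user].append((serial, last_test))
    for user, role in sorted(roles.items()):
        need = MIN_KEYS[role]
        if len(keys[user]) < need:
            findings.append(f"{user}: {len(keys[user])} key(s), {role} needs {need}")
        for serial, last_test in keys[user]:
            if today - last_test > TEST_INTERVAL:
                findings.append(f"{user}: {serial} not tested since {last_test}")
    bg = sum(1 for r in roles.values() if r == "break-glass")
    if bg < MIN_BREAK_GLASS_ACCOUNTS:
        findings.append(f"break-glass: {bg} account(s), need {MIN_BREAK_GLASS_ACCOUNTS}")
    return findings

if __name__ == "__main__":
    for line in audit(INVENTORY, date(2024, 6, 1)):
        print(line)
```
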
When to bring us in
Lose both keys without a backup account and you are looking at a Microsoft support case of days or weeks before admin access is restored. Costly, slow, and not how you want to learn this path the first time.
See also
- I think I clicked a phishing link. No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely. Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes. Classic problem after a phone upgrade. You are not the first to be locked out.